pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/lang
Module Name: pkgsrc
Committed By: bsiegert
Date: Tue Oct 7 20:26:56 UTC 2025
Modified Files:
pkgsrc/lang/go: version.mk
pkgsrc/lang/go124: PLIST distinfo
pkgsrc/lang/go125: PLIST distinfo
Log Message:
go: update to 1.24.8 and 1.25.2 (security)
These minor releases include 10 security fixes following the security policy:
- net/mail: excessive CPU consumption in ParseAddress
The ParseAddress function constructed domain-literal address components
through repeated string concatenation. When parsing large domain-literal
components, this could cause excessive CPU consumption.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is CVE-2025-61725 and Go issue https://go.dev/issue/75680.
- crypto/x509: quadratic complexity when checking name constraints
Due to the design of the name constraint checking algorithm, the processing
time of some inputs scales non-linearly with respect to the size of the
certificate.
This affects programs which validate arbitrary certificate chains.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58187 and Go issue https://go.dev/issue/75681.
- crypto/tls: ALPN negotiation errors can contain arbitrary text
The crypto/tls conn.Handshake method returns an error on the server-side
when ALPN negotation fails which can contain arbitrary attacker controlled
information provided by the client-side of the connection which is not
escaped.
This affects programs which log these errors without any additional form of
sanitization, and may allow injection of attacker controlled information
into logs.
Thanks to National Cyber Security Centre Finland for reporting this issue.
This is CVE-2025-58189 and Go issue https://go.dev/issue/75652.
- encoding/pem: quadratic complexity when parsing some invalid inputs
Due to the design of the PEM parsing function, the processing time for some
inputs scales non-linearly with respect to the size of the input.
This affects programs which parse untrusted PEM inputs.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-61723 and Go issue https://go.dev/issue/75676.
- net/url: insufficient validation of bracketed IPv6 hostnames
The Parse function permitted values other than IPv6 addresses to be included
in square brackets within the host component of a URL. RFC 3986 permits IPv6
addresses to be included within the host component, enclosed within square
brackets. For example: "http://[::1]/";. IPv4 addresses and hostnames must
not appear within square brackets. Parse did not enforce this requirement.
Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University
for reporting this issue.
This is CVE-2025-47912 and Go issue https://go.dev/issue/75678.
- encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
When parsing DER payloads, memories were being allocated prior to fully
validating the payloads. This permits an attacker to craft a big empty DER
payload to cause memory exhaustion in functions such as asn1.Unmarshal,
x509.ParseCertificateRequest, and ocsp.ParseResponse.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58185 and Go issue https://go.dev/issue/75671.
- net/http: lack of limit when parsing cookies can cause memory exhaustion
Despite HTTP headers having a default limit of 1 MB, the number of cookies
that can be parsed did not have a limit. By sending a lot of very small
cookies such as "a=;", an attacker can make an HTTP server allocate a large
amount of structs, causing large memory consumption.
net/http now limits the number of cookies accepted to 3000, which can be
adjusted using the httpcookiemaxnum GODEBUG option.
Thanks to jub0bs for reporting this issue.
This is CVE-2025-58186 and Go issue https://go.dev/issue/75672.
- crypto/x509: panic when validating certificates with DSA public keys
Validating certificate chains which contain DSA public keys can cause
programs to panic, due to a interface cast that assumes they implement the
Equal method.
This affects programs which validate arbitrary certificate chains.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58188 and Go issue https://go.dev/issue/75675.
- archive/tar: unbounded allocation when parsing GNU sparse map
tar.Reader did not set a maximum size on the number of sparse region data
blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive
containing a large number of sparse regions could cause a Reader to read an
unbounded amount of data from the archive into memory. When reading from a
compressed source, a small compressed input could result in large
allocations.
Thanks to Harshit Gupta (Mr HAX) for reporting this issue.
This is CVE-2025-58183 and Go issue https://go.dev/issue/75677.
- net/textproto: excessive CPU consumption in Reader.ReadResponse
The Reader.ReadResponse function constructed a response string through
repeated string concatenation of lines. When the number of lines in a
response is large, this could cause excessive CPU consumption.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-61724 and Go issue https://go.dev/issue/75716.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.25.2
To generate a diff of this commit:
cvs rdiff -u -r1.237 -r1.238 pkgsrc/lang/go/version.mk
cvs rdiff -u -r1.6 -r1.7 pkgsrc/lang/go124/PLIST
cvs rdiff -u -r1.8 -r1.9 pkgsrc/lang/go124/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/lang/go125/PLIST
cvs rdiff -u -r1.2 -r1.3 pkgsrc/lang/go125/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/go/version.mk
diff -u pkgsrc/lang/go/version.mk:1.237 pkgsrc/lang/go/version.mk:1.238
--- pkgsrc/lang/go/version.mk:1.237 Sat Sep 6 12:54:33 2025
+++ pkgsrc/lang/go/version.mk Tue Oct 7 20:26:56 2025
@@ -1,4 +1,4 @@
-# $NetBSD: version.mk,v 1.237 2025/09/06 12:54:33 bsiegert Exp $
+# $NetBSD: version.mk,v 1.238 2025/10/07 20:26:56 bsiegert Exp $
#
# If bsd.prefs.mk is included before go-package.mk in a package, then this
@@ -6,8 +6,8 @@
#
.include "go-vars.mk"
-GO125_VERSION= 1.25.1
-GO124_VERSION= 1.24.7
+GO125_VERSION= 1.25.2
+GO124_VERSION= 1.24.8
GO123_VERSION= 1.23.12
GO122_VERSION= 1.22.12
GO120_VERSION= 1.20.14
Index: pkgsrc/lang/go124/PLIST
diff -u pkgsrc/lang/go124/PLIST:1.6 pkgsrc/lang/go124/PLIST:1.7
--- pkgsrc/lang/go124/PLIST:1.6 Wed Jul 9 07:41:35 2025
+++ pkgsrc/lang/go124/PLIST Tue Oct 7 20:26:56 2025
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.6 2025/07/09 07:41:35 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.7 2025/10/07 20:26:56 bsiegert Exp $
bin/go${GOVERSSUFFIX}
bin/gofmt${GOVERSSUFFIX}
go124/CONTRIBUTING.md
@@ -57,7 +57,8 @@ go124/lib/fips140/Makefile
go124/lib/fips140/README.md
go124/lib/fips140/fips140.sum
go124/lib/fips140/inprocess.txt
-go124/lib/fips140/v1.0.0.zip
+go124/lib/fips140/v1.0.0-c2097c7c.zip
+go124/lib/fips140/v1.0.0.txt
go124/lib/time/README
go124/lib/time/mkzip.go
go124/lib/time/update.bash
@@ -138,6 +139,7 @@ go124/src/archive/tar/testdata/gnu-nil-s
go124/src/archive/tar/testdata/gnu-nil-sparse-hole.tar
go124/src/archive/tar/testdata/gnu-not-utf8.tar
go124/src/archive/tar/testdata/gnu-sparse-big.tar
+go124/src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2
go124/src/archive/tar/testdata/gnu-utf8.tar
go124/src/archive/tar/testdata/gnu.tar
go124/src/archive/tar/testdata/hardlink.tar
@@ -13260,6 +13262,7 @@ go124/test/fixedbugs/issue7538a.go
go124/test/fixedbugs/issue7538b.go
go124/test/fixedbugs/issue7547.go
go124/test/fixedbugs/issue7550.go
+go124/test/fixedbugs/issue75569.go
go124/test/fixedbugs/issue7590.go
go124/test/fixedbugs/issue7648.dir/a.go
go124/test/fixedbugs/issue7648.dir/b.go
Index: pkgsrc/lang/go124/distinfo
diff -u pkgsrc/lang/go124/distinfo:1.8 pkgsrc/lang/go124/distinfo:1.9
--- pkgsrc/lang/go124/distinfo:1.8 Sat Sep 6 12:54:33 2025
+++ pkgsrc/lang/go124/distinfo Tue Oct 7 20:26:56 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.8 2025/09/06 12:54:33 bsiegert Exp $
+$NetBSD: distinfo,v 1.9 2025/10/07 20:26:56 bsiegert Exp $
-BLAKE2s (go1.24.7.src.tar.gz) = ce05bb8d4f1c68ad3f35466dd43aacb176c71cab03a355d15b1d3ae9c225851f
-SHA512 (go1.24.7.src.tar.gz) = 656bb879244ba888af18b6e609fb2c4bc067b919827b9026c3ee44b3e2d0c7bffde262945de989880066196846b669c215da2e8c5d9adfb8491bb5d52af0d49a
-Size (go1.24.7.src.tar.gz) = 30794506 bytes
+BLAKE2s (go1.24.8.src.tar.gz) = 0955f60915a81bdb8d4d468d038ad4ebb597355a8b2df5d5737d06dfb41b2f9c
+SHA512 (go1.24.8.src.tar.gz) = 3233c75223b310d14ccb1846e192d0d4867e8ecc1091c9853bc536f5051cdfb8682ae2f86b5caec77b1f3cbfaf5864c9231fb3a756471ff77d7a904e79bb3f15
+Size (go1.24.8.src.tar.gz) = 30797581 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
Index: pkgsrc/lang/go125/PLIST
diff -u pkgsrc/lang/go125/PLIST:1.1 pkgsrc/lang/go125/PLIST:1.2
--- pkgsrc/lang/go125/PLIST:1.1 Sat Aug 16 15:52:03 2025
+++ pkgsrc/lang/go125/PLIST Tue Oct 7 20:26:56 2025
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.1 2025/08/16 15:52:03 bsiegert Exp $
+@comment $NetBSD: PLIST,v 1.2 2025/10/07 20:26:56 bsiegert Exp $
bin/go${GOVERSSUFFIX}
bin/gofmt${GOVERSSUFFIX}
go125/CONTRIBUTING.md
@@ -57,7 +57,8 @@ go125/lib/fips140/Makefile
go125/lib/fips140/README.md
go125/lib/fips140/fips140.sum
go125/lib/fips140/inprocess.txt
-go125/lib/fips140/v1.0.0.zip
+go125/lib/fips140/v1.0.0-c2097c7c.zip
+go125/lib/fips140/v1.0.0.txt
go125/lib/time/README
go125/lib/time/mkzip.go
go125/lib/time/update.bash
@@ -124,6 +125,7 @@ go125/src/archive/tar/testdata/gnu-nil-s
go125/src/archive/tar/testdata/gnu-nil-sparse-hole.tar
go125/src/archive/tar/testdata/gnu-not-utf8.tar
go125/src/archive/tar/testdata/gnu-sparse-big.tar
+go125/src/archive/tar/testdata/gnu-sparse-many-zeros.tar.bz2
go125/src/archive/tar/testdata/gnu-utf8.tar
go125/src/archive/tar/testdata/gnu.tar
go125/src/archive/tar/testdata/hardlink.tar
@@ -9412,6 +9414,7 @@ go125/src/runtime/debuglog.go
go125/src/runtime/debuglog_off.go
go125/src/runtime/debuglog_on.go
go125/src/runtime/debuglog_test.go
+go125/src/runtime/decoratemappings_test.go
go125/src/runtime/defer_test.go
go125/src/runtime/defs1_linux.go
go125/src/runtime/defs1_netbsd_386.go
@@ -13578,6 +13581,7 @@ go125/test/fixedbugs/issue7538a.go
go125/test/fixedbugs/issue7538b.go
go125/test/fixedbugs/issue7547.go
go125/test/fixedbugs/issue7550.go
+go125/test/fixedbugs/issue75569.go
go125/test/fixedbugs/issue7590.go
go125/test/fixedbugs/issue7648.dir/a.go
go125/test/fixedbugs/issue7648.dir/b.go
Index: pkgsrc/lang/go125/distinfo
diff -u pkgsrc/lang/go125/distinfo:1.2 pkgsrc/lang/go125/distinfo:1.3
--- pkgsrc/lang/go125/distinfo:1.2 Sat Sep 6 12:54:33 2025
+++ pkgsrc/lang/go125/distinfo Tue Oct 7 20:26:56 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.2 2025/09/06 12:54:33 bsiegert Exp $
+$NetBSD: distinfo,v 1.3 2025/10/07 20:26:56 bsiegert Exp $
-BLAKE2s (go1.25.1.src.tar.gz) = 72f1278bbe406337a11fef85da52063ce1fed9c9ae456ddaaf28f908980794ab
-SHA512 (go1.25.1.src.tar.gz) = e77ae799a0dcd4ded40a196c3645da5b7e808e417831d2c5441387b0fd0ed5f946b678305294c52fda0a258889225c24c6073bb0973c3531ba4aa107b6afe849
-Size (go1.25.1.src.tar.gz) = 31974863 bytes
+BLAKE2s (go1.25.2.src.tar.gz) = 7bb077ae4666f53b7e3203464817ee3a54c016a4b1f59bbce1af46133600c766
+SHA512 (go1.25.2.src.tar.gz) = 2700ceca314bb78b8ff97aa8703442b60eceb3acbad46b7959739bb0399174f27af372c7f72cd1adb83997adacbf43e2e2572e85fa5cf2a18271d0ef1ee0b8b4
+Size (go1.25.2.src.tar.gz) = 31978632 bytes
SHA1 (patch-misc_ios_clangwrap.sh) = 28ea4426336155d6720f7e16b43f0207b47a6dd8
SHA1 (patch-src_cmd_dist_build.go) = cbb9576f832806b0cbef121ea38ba6a54db95bc3
SHA1 (patch-src_crypto_x509_root__bsd.go) = 0b5dead901450967109303f873a2696c65ccac35
Home |
Main Index |
Thread Index |
Old Index